Support for Drupal 7 is ending on 5 January 2025—it’s time to migrate to Drupal 10! Learn about the many benefits of Drupal 10 and find migration tools in our resource center.
Problem/Motivation
The order off permissions in user.role.*.yml
does not matter. The array_diff
in Role::revokePermission
does not normalize the array keys this leads to huge diffs during config export, because the array is treated as associative array in YAML.
Proposed resolution
Normalize the stored permissions via grantPermission/revokePermission.
Remaining tasks
User interface changes
API changes
Comment | File | Size | Author |
---|---|---|---|
#45 | 2409129-45.patch | 6.97 KB | webflo |
#41 | 2409129-41.patch | 6.91 KB | webflo |
#41 | 2409129-41.interdiff.txt | 1.21 KB | webflo |
#39 | 2409129-39.interdiff.txt | 679 bytes | webflo |
#39 | 2409129-39.patch | 5.69 KB | webflo |
Comments
Comment #1
webflo CreditAttribution: webflo commentedComment #2
k4v CreditAttribution: k4v commentedTest added.
Comment #3
k4v CreditAttribution: k4v commentedComment #8
k4v CreditAttribution: k4v commentedfix
Comment #9
alimac CreditAttribution: alimac commentedWe should all try and use the same sprint tag. According to https://groups.drupal.org/node/447258 it should be SprintWeekend2015.
Comment #10
k4v CreditAttribution: k4v commentedComment #12
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedComment #15
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedComment #16
tstoecklerDiscussed this with @webflo in person:
The previous code did not work because $uids was never populated. This now makes it work the way it seemingly was supposed to work all along. The question is whether that actually makes sense because the titles of the permissions are displayed but they are now sorted by machine name. But I guess having some sort of deterministic sorting - even if it is not exactly intuitive - is better than complete randomness. So I would say let's leave that in for now. Especially because of the test coverage, this will actually reduce the fragility of the testing system.
Let's remove the $debug, though ;-)
Since we have to re-roll anyway, could be using \Drupal\KernelTests\KernelTestBase (TNG)
For extra credit, then replace assertIdentical() -> assertEquals().
Comment #17
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedComment #18
tstoecklerAwesome, thanks a lot!
KTBTNG++
Comment #20
claudiu.cristeaI don't understand why we need the
::normalize()
wrapper to wrap a single PHP function. And the name is about normalizing while we are doing a sorting. Drop the method and usesort()
directly ingrantPermission()
and. EDIT:revokePermission()
revokePermission()
doesn't need any sorting. Normally it should keep the same order as before revoking.Why not adding the same
sort()
inRole::getPermission()
and this change we can avoid.{@inheritdoc}
Inline?
Let's use modern array representation with square brackets. Also this can be written in more compact way, by chaining the method calls:
Comment #21
claudiu.cristeaExtra.
All roles tests are named following the pattern:
UserRole*Test
. Let's use the same convention.Comment #22
kgoel CreditAttribution: kgoel at Forum One commentedI am working on it.
Comment #23
kgoel CreditAttribution: kgoel at Forum One commentedrevokePermission() does need sorting because we would need to sort users in alphabetical order after the user is deleted and also sort removes array key.
Since grantPermission() and revokePermission() are already sorted so you can't change the permissions
Comment #24
webflo CreditAttribution: webflo at UEBERBIT GmbH commented#23 addressed the concerns from #20. We have to sort on revokePermission because we want to normalize the array keys after we removed a permissions with array_diff.
Comment #25
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedComment #26
claudiu.cristea#20 is not addressed. Why keeping the useless
::normalize()
?Not enough. A piece of code can bypass the grantPermission() sort in this way:
array_diff() is not touching the order of first array in the arguments list.
See #20.
See #20.
Comment #27
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedRight, but we have to reset the array keys. We could add array_value to make it more obvious, but sort resets the permissions already.
Comment #30
dawehnerIMHO this is a weak point ... we have an API and module authors don't use it. This is a clear problem. When you use an API, you get benefits, when you don't, your life will be bad.
Well, this is not really the point here. This is about array keys, let me show an example: https://3v4l.org/Yf6Zq
As you see this is not longer a simple list with increasing array index, which results in a completely different YAML output.
@webflo and myself talked about that issue and we came to the conclusion on presave would be ideal, but we should skip the resorting, in case we actually sync configuration.
Comment #31
dawehnerComment #32
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedAlright, lets keep it simple.
Comment #33
dawehnerI love it. I've had merge conflicts because of this issue on every single issue.
Comment #35
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedComment #36
claudiu.cristeaGreat! RTBC if green.
Comment #38
alexpottAs far as I can see we should have an upgrade path here to fix existing roles. Nice test coverage btw.
Amusing that comment is now correct :)
Comment #39
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedHere is the update path for existing roles.
Comment #40
claudiu.cristeaEmpty line before
use
But still needs test for the upgrade path.
Comment #41
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedLike this?
Comment #42
claudiu.cristeaYes :)
Should be removed.
Use the latest: drupal-8-rc1.bare.standard.php.gz
How do we know that permission were unsorted initially? I think we don't need to iterate on all roles. What we need is a single role with unsorted order. Then we assert, before running updates, that the list is not sorted and again after. If the core doesn't have such a case we need to add one via a fixture.
Comment #44
claudiu.cristeaThe file and the class names don't match. Also the class name should end with *Test.
Comment #45
webflo CreditAttribution: webflo at UEBERBIT GmbH commentedauthenticated contains permissions that are not in the correct order.
Comment #46
claudiu.cristeaHope that bot agrees. Thank you!
Comment #47
alexpottCommitted and pushed f5be97c to 8.4.x and cf6312f to 8.3.x. Thanks!
Thanks for adding the update path with tests.
Added some missing comments.